@everystack/cli 0.1.0

package/src/cli/commands/certs.ts

@@ -0,0 +1,117 @@
+import fs from 'fs/promises';
+import path from 'path';
+import forge from 'node-forge';
+
+const { pki, md, random, util } = forge;
+
+export async function certsCommand(action: 'generate' | 'configure', flags: Record<string, string>): Promise<void> {
+  if (action === 'generate') {
+    await generateCerts(flags);
+  } else {
+    await configureCerts(flags);
+  }
+}
+
+function toPositiveHex(hex: string): string {
+  // Ensure the serial number is positive by prepending '00' if high bit is set
+  if (hex.length > 0 && parseInt(hex[0], 16) >= 8) {
+    return '00' + hex;
+  }
+  return hex;
+}
+
+async function generateCerts(flags: Record<string, string>): Promise<void> {
+  const outputDir = flags.output || './certs';
+  const commonName = flags.cn || 'everystack';
+  const validityYears = parseInt(flags.years || '10', 10);
+  await fs.mkdir(outputDir, { recursive: true });
+
+  // Generate RSA key pair using node-forge
+  const keyPair = pki.rsa.generateKeyPair(2048);
+
+  // Create self-signed X.509 code signing certificate
+  const cert = pki.createCertificate();
+  cert.publicKey = keyPair.publicKey;
+  cert.serialNumber = toPositiveHex(util.bytesToHex(random.getBytesSync(9)));
+
+  const now = new Date();
+  const expiry = new Date(now);
+  expiry.setFullYear(expiry.getFullYear() + validityYears);
+  cert.validity.notBefore = now;
+  cert.validity.notAfter = expiry;
+
+  const attrs = [{ name: 'commonName', value: commonName }];
+  cert.setSubject(attrs);
+  cert.setIssuer(attrs);
+  cert.setExtensions([
+    {
+      name: 'keyUsage',
+      critical: true,
+      keyCertSign: false,
+      digitalSignature: true,
+      nonRepudiation: false,
+      keyEncipherment: false,
+      dataEncipherment: false,
+    },
+    {
+      name: 'extKeyUsage',
+      critical: true,
+      serverAuth: false,
+      clientAuth: false,
+      codeSigning: true,
+      emailProtection: false,
+      timeStamping: false,
+    },
+  ]);
+  cert.sign(keyPair.privateKey, md.sha256.create());
+
+  // Export to PEM
+  const privateKeyPem = pki.privateKeyToPem(keyPair.privateKey);
+  const certificatePem = pki.certificateToPem(cert);
+
+  const privatePath = path.join(outputDir, 'private-key.pem');
+  const certPath = path.join(outputDir, 'certificate.pem');
+
+  await fs.writeFile(privatePath, privateKeyPem);
+  await fs.writeFile(certPath, certificatePem);
+
+  console.log(`Generated code signing certificate:`);
+  console.log(`  Private key:   ${privatePath}`);
+  console.log(`  Certificate:   ${certPath}`);
+  console.log(`  Common Name:   ${commonName}`);
+  console.log(`  Valid for:     ${validityYears} years`);
+  console.log(`\nKeep the private key secret. The certificate goes in your app config.`);
+}
+
+async function configureCerts(flags: Record<string, string>): Promise<void> {
+  const inputDir = flags.input || './certs';
+  const keyid = flags.keyid || 'main';
+
+  const certPath = path.join(inputDir, 'certificate.pem');
+
+  try {
+    await fs.access(certPath);
+  } catch {
+    throw new Error(`Certificate not found at ${certPath}. Run 'everystack certs:generate' first.`);
+  }
+
+  // Read app.json and add code signing config
+  const appJsonPath = path.resolve('app.json');
+  let appJson: any;
+  try {
+    appJson = JSON.parse(await fs.readFile(appJsonPath, 'utf8'));
+  } catch {
+    throw new Error('Could not read app.json');
+  }
+
+  const config = appJson.expo || appJson;
+  config.updates = config.updates || {};
+  config.updates.codeSigningCertificate = `./${path.relative('.', certPath)}`;
+  config.updates.codeSigningMetadata = {
+    keyid,
+    alg: 'rsa-v1_5-sha256',
+  };
+
+  await fs.writeFile(appJsonPath, JSON.stringify(appJson, null, 2) + '\n');
+  console.log(`Configured code signing in app.json (keyid: ${keyid})`);
+}

package/src/cli/commands/channels.ts

@@ -0,0 +1,109 @@
+export async function channelsCommand(subcommand: string, flags: Record<string, string>): Promise<void> {
+  switch (subcommand) {
+    case 'list':
+      await listChannels(flags);
+      break;
+    case 'create':
+      await createChannel(flags);
+      break;
+    case 'edit':
+      await editChannel(flags);
+      break;
+    default:
+      console.log('Usage: everystack channels <list|create|edit> [--name <name>] [--branch <name>]');
+  }
+}
+
+async function listChannels(_flags: Record<string, string>): Promise<void> {
+  const baseUrl = getBaseUrl();
+  const token = getToken();
+
+  const response = await fetch(`${baseUrl}/channels`, {
+    headers: token ? { authorization: `Bearer ${token}` } : {},
+  });
+
+  if (!response.ok) {
+    throw new Error(`Failed to list channels: ${response.status}`);
+  }
+
+  const channels = await response.json() as any[];
+  if (channels.length === 0) {
+    console.log('No channels found.');
+    return;
+  }
+
+  console.log('Channels:');
+  for (const ch of channels) {
+    console.log(`  ${ch.name} (created: ${ch.createdAt})`);
+  }
+}
+
+async function createChannel(flags: Record<string, string>): Promise<void> {
+  const name = flags.name;
+  if (!name) {
+    throw new Error('--name is required');
+  }
+
+  const baseUrl = getBaseUrl();
+  const token = getToken();
+
+  const body: Record<string, string> = { name };
+  if (flags.branch) {
+    body.branchName = flags.branch;
+  }
+
+  const response = await fetch(`${baseUrl}/channels`, {
+    method: 'POST',
+    headers: {
+      'content-type': 'application/json',
+      ...(token ? { authorization: `Bearer ${token}` } : {}),
+    },
+    body: JSON.stringify(body),
+  });
+
+  if (!response.ok) {
+    const resBody = await response.json().catch(() => ({}));
+    throw new Error(`Failed to create channel: ${(resBody as any).error || response.status}`);
+  }
+
+  console.log(`Channel "${name}" created.`);
+}
+
+async function editChannel(flags: Record<string, string>): Promise<void> {
+  const name = flags.name;
+  const branchName = flags.branch;
+  if (!name) {
+    throw new Error('--name is required');
+  }
+  if (!branchName) {
+    throw new Error('--branch is required (the branch to point this channel to)');
+  }
+
+  const baseUrl = getBaseUrl();
+  const token = getToken();
+
+  const response = await fetch(`${baseUrl}/channels/${encodeURIComponent(name)}`, {
+    method: 'PUT',
+    headers: {
+      'content-type': 'application/json',
+      ...(token ? { authorization: `Bearer ${token}` } : {}),
+    },
+    body: JSON.stringify({ branchName }),
+  });
+
+  if (!response.ok) {
+    const body = await response.json().catch(() => ({}));
+    throw new Error(`Failed to edit channel: ${(body as any).error || response.status}`);
+  }
+
+  console.log(`Channel "${name}" now points to branch "${branchName}".`);
+}
+
+function getBaseUrl(): string {
+  if (process.env.EVERYSTACK_URL) return process.env.EVERYSTACK_URL;
+  throw new Error('EVERYSTACK_URL environment variable is required');
+}
+
+function getToken(): string | undefined {
+  return process.env.EVERYSTACK_TOKEN;
+}

package/src/cli/commands/console.ts

@@ -0,0 +1,68 @@
+/**
+ * everystack console --stage <name>
+ *
+ * Interactive REPL that executes expressions inside the deployed Lambda.
+ * Each line is sent via IAM-authed Lambda invoke (_action: 'console').
+ * The Lambda evaluates with db, schema, and Drizzle operators in scope.
+ */
+
+import * as readline from 'node:readline';
+import { resolveConfig } from '../config.js';
+import { invokeAction } from '../aws.js';
+import { success, fail, info } from '../output.js';
+import { formatResult } from '../utils/table.js';
+
+export async function consoleCommand(flags: Record<string, string>): Promise<void> {
+  const stage = flags.stage;
+  if (!stage) {
+    fail('--stage is required. Example: everystack console --stage dev');
+    process.exit(1);
+  }
+
+  let config;
+  try {
+    config = await resolveConfig(stage);
+  } catch (err: any) {
+    fail(err.message);
+    process.exit(1);
+  }
+
+  success(`Connected to ${stage} (${config.region}) — ${config.apiFunctionName}`);
+  console.log('  Type expressions to evaluate. Ctrl+C or .exit to quit.\n');
+
+  const rl = readline.createInterface({
+    input: process.stdin,
+    output: process.stdout,
+    prompt: `everystack:${stage}> `,
+  });
+
+  rl.prompt();
+
+  rl.on('line', async (line) => {
+    const trimmed = line.trim();
+    if (!trimmed) { rl.prompt(); return; }
+    if (trimmed === '.exit') { rl.close(); return; }
+
+    try {
+      const result: any = await invokeAction(
+        config.region,
+        config.apiFunctionName,
+        'console',
+        { expression: trimmed },
+      );
+      if (result?.error) {
+        fail(result.error);
+      } else {
+        console.log(formatResult(result?.result));
+      }
+    } catch (err: any) {
+      fail(err.message);
+    }
+    rl.prompt();
+  });
+
+  rl.on('close', () => {
+    console.log('');
+    process.exit(0);
+  });
+}

package/src/cli/commands/db.ts

@@ -0,0 +1,183 @@
+/**
+ * Database commands — run migrations and seed via IAM-authed Lambda invoke.
+ *
+ * These commands invoke the deployed Lambda's onAction handler directly.
+ * No HTTP endpoints, no shared secrets — IAM is the authorization layer.
+ */
+
+import { resolveConfig } from '../config.js';
+import { invokeAction } from '../aws.js';
+import { step, success, fail, info } from '../output.js';
+
+export async function dbMigrateCommand(flags: Record<string, string>): Promise<void> {
+  step('Resolving deployed config...');
+  let config;
+  try {
+    config = await resolveConfig(flags.stage);
+  } catch (err: any) {
+    fail(err.message);
+    process.exit(1);
+  }
+
+  info(`Region: ${config.region}, Function: ${config.apiFunctionName}`);
+  step('Running migrations via Lambda invoke...');
+
+  try {
+    const result: any = await invokeAction(
+      config.region,
+      config.apiFunctionName,
+      'migrate',
+      {},
+    );
+    if (result?.error) {
+      fail(`Migration failed: ${result.error}`);
+      process.exit(1);
+    }
+    success(result?.message || 'Migrations applied');
+  } catch (err: any) {
+    fail(`Migration failed: ${err.message}`);
+    info('Ensure your IAM user/role has lambda:InvokeFunction permission.');
+    process.exit(1);
+  }
+}
+
+export async function dbSeedCommand(flags: Record<string, string>): Promise<void> {
+  step('Resolving deployed config...');
+  let config;
+  try {
+    config = await resolveConfig(flags.stage);
+  } catch (err: any) {
+    fail(err.message);
+    process.exit(1);
+  }
+
+  info(`Region: ${config.region}, Function: ${config.apiFunctionName}`);
+  step('Running seed via Lambda invoke...');
+
+  try {
+    const result: any = await invokeAction(
+      config.region,
+      config.apiFunctionName,
+      'seed',
+      {},
+    );
+    if (result?.error) {
+      fail(`Seed failed: ${result.error}`);
+      process.exit(1);
+    }
+    if (result?.skipped) {
+      info(result.message);
+    } else {
+      success(result?.message || 'Seed complete');
+    }
+  } catch (err: any) {
+    fail(`Seed failed: ${err.message}`);
+    info('Ensure your IAM user/role has lambda:InvokeFunction permission.');
+    process.exit(1);
+  }
+}
+
+export async function dbResetCommand(flags: Record<string, string>): Promise<void> {
+  step('Resolving deployed config...');
+  let config;
+  try {
+    config = await resolveConfig(flags.stage);
+  } catch (err: any) {
+    fail(err.message);
+    process.exit(1);
+  }
+
+  info(`Region: ${config.region}, Function: ${config.apiFunctionName}`);
+  info('This will DROP every schema (auth, dist, logs, ops, public) and re-run migrations.');
+  step('Resetting database via Lambda invoke...');
+
+  try {
+    const result: any = await invokeAction(
+      config.region,
+      config.apiFunctionName,
+      'db:reset',
+      {},
+    );
+    if (result?.error) {
+      fail(`Reset failed: ${result.error}`);
+      process.exit(1);
+    }
+    success(result?.message || 'Database reset and migrations applied');
+  } catch (err: any) {
+    fail(`Reset failed: ${err.message}`);
+    info('Ensure your IAM user/role has lambda:InvokeFunction permission.');
+    process.exit(1);
+  }
+}
+
+export async function dbPsqlCommand(flags: Record<string, string>): Promise<void> {
+  step('Resolving deployed config...');
+  let config;
+  try {
+    config = await resolveConfig(flags.stage);
+  } catch (err: any) {
+    fail(err.message);
+    process.exit(1);
+  }
+
+  info(`Region: ${config.region}, Function: ${config.apiFunctionName}`);
+
+  // If -c flag is provided, execute SQL via Lambda and return results
+  if (flags.c) {
+    step(`Executing SQL query...`);
+    try {
+      const result: any = await invokeAction(
+        config.region,
+        config.apiFunctionName,
+        'db:query',
+        { sql: flags.c },
+      );
+
+      if (result?.error) {
+        fail(`Query failed: ${result.error}`);
+        process.exit(1);
+      }
+
+      // Display results in psql-like format
+      if (result.rows && result.rows.length > 0) {
+        // Get column names from first row
+        const columns = Object.keys(result.rows[0]);
+
+        // Calculate column widths
+        const widths = columns.map(col => {
+          const maxDataWidth = Math.max(
+            ...result.rows.map((row: any) => String(row[col] ?? '').length)
+          );
+          return Math.max(col.length, maxDataWidth);
+        });
+
+        // Print header
+        console.log(columns.map((col, i) => col.padEnd(widths[i])).join(' | '));
+        console.log(widths.map(w => '-'.repeat(w)).join('-+-'));
+
+        // Print rows
+        result.rows.forEach((row: any) => {
+          console.log(
+            columns.map((col, i) => String(row[col] ?? '').padEnd(widths[i])).join(' | ')
+          );
+        });
+
+        console.log(`(${result.rows.length} row${result.rows.length === 1 ? '' : 's'})`);
+      } else {
+        success('Query executed successfully (0 rows)');
+      }
+
+      process.exit(0);
+    } catch (err: any) {
+      fail(`Query failed: ${err.message}`);
+      info('Ensure your IAM user/role has lambda:InvokeFunction permission.');
+      process.exit(1);
+    }
+  }
+
+  // Interactive mode: not supported for private RDS
+  fail('Interactive psql mode not supported for private RDS instances.');
+  info('Use -c flag to execute SQL queries via Lambda: everystack db:psql -c "SELECT * FROM users;"');
+  info('The Lambda function executes queries from within the VPC where it can reach the database.');
+  process.exit(1);
+}